## Abstract

We propose a continuous variable based quantum key distribution protocol that makes use of discretely signaled coherent light and reverse error reconciliation. We present a rigorous security proof against collective attacks with realistic lossy, noisy quantum channels, imperfect detector efficiency, and detector electronic noise. This protocol is promising for convenient, high-speed operation at link distances up to 50 km with the use of post-selection.

©2009 Optical Society of America

## 1. Introduction

Quantum key distribution (QKD) systems [1, 2, 3] make use of optical quantum fluctuations to establish shared secret keys between two legitimate users (Alice and Bob) such that an eavesdropper (Eve) who makes optimal physical measurements can know, on average, none of the bits of the secret key. After a number of samples of a correlated randomvariable are obtained by means of quantum measurements, a reconciliation phase assures agreement of Alice and Bob’s data. Finally, a privacy amplification phase uses universal hash functions to eliminate Eve’s potential partial information at the cost of shrinking the length of Alice and Bob’s shared data. Systems thatmeasure arrivals of single photons are called discrete variable systems, while those that use homodyne or heterodyne detection to measure the continuous-valued electromagnetic field and are called continuous variable systems [4]. Discrete QKD is well developed in terms of security analyses, experiments, and commercial products. One important avenue of research for QKD systems seeks to improve rates. The counting rate limitations for non-cryogenic detectors are 15 MHz for silicon photon counters and new greatly improved counter speed of approximately 100 MHz for InGaAs photon counters. These limits are due to dead times required to clear avalanche carriers, which produces spurious afterpulsing counts.

Unlike photon counters, homodyne and heterodyne detectors do not require dead times and thus continuous variable QKD (CVQKD) systems [5, 6, 7] are in principle scalable to standard telecom rates, such as 10 GHz. However, homodyne and heterodyne measurements result at minimum in vacuum noise manifesting its self as Gaussian distributed randomness with noise power that remains constant as signals attenuate with length. This limits the achievable secure link length to a smaller distance than is achievable for discrete QKD. Thus CVQKD may be preferable at short and medium distances.

The two classes of CVQKD systems use continuous signaling [7, 8] and discrete signaling [9]. Continuous signaling, where Alice sends 2 independent Gaussian distributed random variables in the x and y quadratures of the field, is themost studied because proofs against individual and collective attacks exist [10, 11, 12, 13]. An individual attack describes manipulation of individual timeslots and optimal quantum measurement by Eve on light in that timeslot, while collective attacks describe manipulation of individual timeslots and optimal joint measurement of several or many timeslots. State-of-the-art continuously signaled experiments provide security against collective attacks, and demonstrate final key rate limited to 2 kB/sec [14]. This limitation is due not to the physical layer, but to the time required to implement reconciliation on a typicalmicroprocessor. Attempts to increase speed have led to proposals for post-selection, and recently to a protocol that can be proved secure against collective attacks if infinite dimensional conditional homodyne tomography can be implemented on a subset of data [15]. It has been clear to many CVQKD researchers that a discretely signaled CVQKD protocol would be advantageous in terms of simplicity and several have been proposed. However, it has been pointed out that the security of discretely signaled systems under collective attacks remains an open problem for the practical case of excess noise in the channel [16]. Very recent work on the security of a binary modulated CVQKD system [17] showed quite limited tolerance to excess noise. However, we will show that quantum tomography in a protocol can greatly improve the situation.

In order to increase distance, the technique of post-selection has been proposed for CVQKD [18, 19, 20, 21]. In post-selection schemes, only a subset of the data is used, improving the signal-to-noise ratio between Alice and Bob. CVQKD experiments have been implemented with post-selection [19, 20, 21], but without security proofs. Although Gaussian attacks have been proved to be optimal against continuously signaled CVQKD systems, the optimal attack for post-selection based CVQKD protocols is unknown yet. Recent recent progress on the security analysis of post-selection [15] gave a proof of a post-selection protocolwhen there is excess gaussian noise introduced into the channel. The protocol presented in their paper requires full conditional state tomography.

In order to permit faster and longer links, one needs to overcome the following obstacles. First, a very efficient reconciliation protocol is needed. Although theoretically, reverse reconciliation enables CVQKD links of infinite distance, as CVQKD link length increases, the minimum reconciliation efficiency required for positive secrecy capacity, *β*
_{0}, approaches 1. This differs from discrete QKD. Second, reconciliation needs to be simple and fast. In order to correct errors between Alice and Bob, one usually seeks continuous variable based error correction codes to be as efficient as possible. However, highly efficient error correction codes are also slow. We note that codes for binary symmetric channel are usually simpler and faster. By turning the continuous variable based error correction problem into a binary based error correction problem, several advantages come. First, it is easier to find corresponding error correction codes working at a rate very close to Shannon limit while keeping a lower decoding complexity. Furthermore, if the required error correction efficiency is lowered for a given distance, then we may be able to find a reconciliation code with corresponding lower efficiency but greater speed. As a result, the distance and throughput of CVQKD systems would be significantly improved.

We propose a protocol for discretely signaled CVQKD that is designed for simple implementation with normal network hardware and with the goal of improving reconciliation speed. The protocol uses reverse reconciliation only and can optionally use post-selection. We prove security for collective attacks on a lossy, noisy channel. The novel contributions of this paper are the combination of discrete signaling with tomography on a subset of data to restrict Eve’s attacks, the use of novel analytical and computational techniques for calculating collective security with channel excess noise, and the level of attention that is paid to reconciliation speed in the design and analysis. The paper is organized as follows: Section II contains a description of the protocol, while Section III contains a security analysis under collective attacks. We have placed computational details in the Appendix. Section IV contains security results for some practical cases of interest, Section V is a general discussion of the results, and we conclude in Section VI.

## 2. The quantized input-quantized output CVQKD protocol

According the previous discussions, binary reconciliation is attractive in order to improve CVQKD distance and speed. In 2006, Namiki proposed a CVQKD scheme using discrete encoding and post-selection [9]. Although the protocol then results in binary reconciliation, the security analysis was only developed for individual attacks. Second, the experimentally relevant case of excess noise in the channel was not treated. This case is important because system imperfections typically result in some additional noise, which should be treated for security purposes as if Eve controls it. Third, for low channel efficiency, the possibility of selecting a quantum state is low enough that most of the measurements are discarded.

In order to obtain positive secrecy capacity, it is desirable that Alice and Bob nearly achieve the capacity of the channel given the signal-to-noise ratio. Recently, a new result of classical information theory [22] shows that for a lossy gaussian channel with given signal-to-noise ratio, when Bob quantizes the received data, the optimal way for Alice to encode data is to also send quantized data. Specifically, under the condition that Bob performs binary quantization, Alice needs only send binary data and achieve the channel capacity. This result is significant for reverse-reconciliation CVQKD because it indicates that if Bob quantizes the data received, then Alice does not need to send gaussian modulated signals but should send binary signals.

The quantized input-quantized output(QIQO) CVQKD protocol is described below:

**Step 1**: Alice randomly picks up a random variable *x _{k}* ∈ {1,2,3,4} and encodes a coherent state ${\mid {\phi}_{{x}_{k}}\u3009}_{k}\in \left\{\mid {\alpha}_{1}\u3009=\mid r+ri\u3009,\mid {\alpha}_{2}\u3009=\mid r-ri\u3009,\mid {\alpha}_{3}\u3009=\mid -r+ri\u3009,\mid {\alpha}_{4}\u3009=\mid -r-ri\u3009\right\}$, where

*r*is a positive real number depending on Bob’s signal-to-noise ratio and k denotes the index of time slot, and sends it through a lossy and noisy quantum channel. Alice’s encoding scheme can be described in Fig. 1.

**Step 2** Bob receives a quantum state from the quantum channel. With probability *p*, each measurement is assigned to channel characterization, where Bob randomly chooses a local oscillator phase *ϕ _{k}* of 0,

*π*/4 or

*π*/2, makes a homodynemeasurement and records the real result [23]. With probability 1-

*p*, that measurement is assigned a data collection index

*k*, where Bob randomly chooses a local oscillator phase

*ϕ*of 0 or

_{k}*π*/2 before performing homodyne detection. If his measurement result is greater than T, where T≥0 is Bob’s decision threshold, then he quantizes the result to

*qk*=1. If Bob’s measurement result is less than -

*T*otherwise, he quantizes the data to

*qk*=−1. For other cases where his measurement result is between -

*T*and

*T*, Bob quantizes his data to

*q*=0. When

_{k}*q*=0, the data from the corresponding time slot will not be selected in the post processing. When

_{k}*T*=0, it reduces to the case without post-selection.

To summarize these two steps, Alice uses random QPSK signaling but Bob’s collected data are digitized BPSK.

**Step 3:**When all quantumcommunication has been finished, Bob reveals to Alice which time slots that were used for characterization phasemeasurements. Alice reveals to Bob the state that she has sent for those time slots. Then Bob performs conditional quantum tomography for each one of the four particular coherent states that Alice sent. Only three different collection angles are required to achieve a good estimate of the received state [23]. We know that without Eve, the channel can be modeled as a beamsplitter with two inputs, one of which is Alice’s output to the quantum channel and the other one is the excess channel noise mode.

where *b*̂ is the output of beamsplitter going to Bob’s detectors and η is quantum efficiency of the quantum channel. For any field quadrature of Bob, we have

Assume *p _{b}*(

*q*),

*p*(

_{a}*q*) and

*p*(

_{εn}*q*) are the possibility distributions of the three quadratures, we have

where * is a convolution. By Fourier transform techniques, we can find *p _{ε}* (

*q*) once we know

*p*(

_{a}*q*) and got

*p*(

_{b}*q*) fromtomography. Therefore, we can also reconstruct ${\hat{\rho}}_{{\epsilon}_{n}}$ based on quantum tomography on

*$\tilde{\rho}$*. For the protocol, Bob performs quantum conditional tomography for all four cases. Then Bob can reconstruct ${\hat{\rho}}_{{\epsilon}_{n}}$ for all four cases. The protocol requires that the reconstructed ${\hat{\rho}}_{{\epsilon}_{n}}$ for all four cases to be the same. Otherwise, Alice and Bob abort the protocol.

_{b}**Step 4:** For each data collection time slot, Bob reveals the local oscillator phase that was chosen. If Bob used *ϕ _{k}*=0, then Alice records

*a*=1 for the case where

_{k}*x*=0 or

_{k}*x*=1 and

_{k}*a*=−1 for the case where

_{k}*x*=2 or

_{k}*x*=3. If Bob used ${\varphi}_{k}=\genfrac{}{}{0.1ex}{}{1}{2}\pi $, then Alice records

_{k}*a*=1 for the case where

_{k}*x*=0 or

_{k}*x*=2 and

_{k}*a*=−1 for the case where

_{k}*x*=1 or

_{k}*x*=3.

_{k}**Step 5:** Bob sends checkbits to Alice over a public channel, i.e. *reverse reconciliation*. The reconciliation is strictly one-way.

**Step 6:** Alice and Bob perform privacy amplification to distill the final secure key.

## 3. Security analysis

In this section, we analyze the security of the QIQO CVQKD protocol against collective attacks, where Eve interacts with incoming quantum states individually and makes joint multi-timeslot measurements after knowing Bob’s measurement basis. The security of CV QKD systems can be guaranteed by fundamental limits of the noise coming from the quantum measurements. However, since the quantum channel can always introduce some excess noise, this amount of noise could potentially have been introduced by Eve, and may thus weaken the security of the system. We treat the excess channel noise rigorously. We divide this section into two subsections. In the first subsection, we analyze the simpler case where there is no excess channel noise but Bob’s homodyne detector has a given quantum efficiency and Bob also has some additive gaussian electronic noise. We will give an analytical solution for this case. In the second subsection, we analyze the case where measured excess noise is assumed to have the quantum channel as its source.

For collective attacks, the secrecy capacity between Alice and Bob in bits per channel use is defined to be

where *I*(*A;B*) is the mutual information between Alice and Bob. However, practical reconciliation codes do not reach the Shannon limit. If we define a reconciliation efficiency *β*, then the practical secrecy capacity in this case becomes

In order to make the practical secrecy capacity positive so that Alice and Bob can distill a secure key by privacy amplification, there exists a minimal required reconciliation efficiency *β*
_{0} where

For the binary symmetric channel in our protocol, *I*(*A;B*) can be completely determined by the signal-to-noise ratio of Bob. *I*(*A;B*) can be calculated as Eq. (7) and Eq. (8),

where *h*(*p*)=−*p*log_{2}(*p*)−(1−*p*) log_{2}(1−*p*) is the binary entropy function.

*χ*(*B;E*) is the Holevo information between Bob and Eve, which is defined to be

where *S*(*ρ*̃*E*) is the von Neumann entropy of Eve’s mixed state. *ρ*̃*E*|_{q=i} is Eve’s mixed state given Bob’s measurement result and *p _{i}* is the probability that Bob’s measurement is

*i*. For our binary symmetric case, we can rewrite

*χ*(

*B;E*) to be

for an optimal attack.

#### 3.1. Analytical solution for no excess channel noise case

When there is no excess channel noise, Bob’s received state is a coherent state given Alice sent a particular quantumstate. When the tomographic subset verifies Bob’s received state, Eve’s only possible attack is a beam splitter attack, where Eve replaces the lossy channel with a perfect one and uses a beam splitter to simulate the lossy effect of the channel. Suppose the quantum efficiency of the quantum channel is h, then Bob’s received quantum states are |√η*α _{i}*〉 and Eve’s received quantum states are $\mid \sqrt{1-\eta}{\alpha}_{i}\mid \u3009$. It is straight forward to give the expression for

*ρ*̃

*E*,

The second term of *χ*(*B;E*) relates directly to the error rate of the binary symmetric channel. Let’s consider the case where Bob chose *ϕ*=0 as the phase for homodyne detection. Given Bob’s quantized data q=1, the possibility that Alice sent |*α*
_{1}〉, |*α*
_{2}〉, |*α*
_{3}〉 and ${p}_{1|q=1}=\genfrac{}{}{0.1ex}{}{1}{2}\left(1-{e}_{AB}\right)$, ${p}_{2|q=1}=\genfrac{}{}{0.1ex}{}{1}{2}{e}_{AB}$, ${p}_{3|q=1}=\genfrac{}{}{0.1ex}{}{1}{2}\left(1-{e}_{AB}\right)$ and ${p}_{4|q=1}=\genfrac{}{}{0.1ex}{}{1}{2}{e}_{AB}$ respectively. Therefore, the second term of *χ*(*B;E*) is

The error rate eAB is directly related to the signal-to-noise ratio of Bob. Suppose the vacuum variances of both quadratures are $\u3008\Delta {X}^{2}\u3009=\u3008\Delta {Y}^{2}\u3009={V}_{S}=\genfrac{}{}{0.1ex}{}{1}{4}$ and the variance of electronic noise is *V _{el}*, then variance of Bob’s detection noise is

The signal-to-noise ratio then reads,

where ${u}_{i}=\Re \left\{\sqrt{\eta {\eta}_{m}}{\alpha}_{i}\right\}$ is Bob’s average value of *X* quadrature when Alice sent *α _{i}*. η

_{m}is the detection efficiency of the homodyne detector. Combining Eq. (13) and Eq. (14), we have

Together with Eq. (7), we calculate the error rate of the binary symmetric channel between Alice and Bob. Combining the above equations, we get the analytical expression for the secrecy capacity between Alice and Bob for the case where there is no excess noise.

#### 3.2. Numerical simulation for the general case with excess channel noise

In the case where excess noise is introduced into the quantum channel, the analysis is more complicated and numerical simulations are required. We will prove that with small amounts of excess noise, the security of the QIQO CVQKD scheme can still be guaranteed. The details of the numerical simulation are listed in the appendix.

### 3.2.1. Validity of channel model

We will show that Eve’s optimal collective attack is the entangling beamsplitter attack (see Fig. 2), where Eve replaces the lossy fiber with a lossless channel and mixes one of two entangled beams (${\hat{\rho}}_{{\epsilon}_{n}}$) on a beamsplitter while additionally monitoring one of the outputs (${\hat{\rho}}_{{\epsilon}_{r}}$). Conditional homodyne tomography serves to make the optimality of the entangled beamsplitter attack provable.

We need note that Eve’s attack is a unitary operator which maps the product state of Eve’s original ancillary state and Alice’s output state to the input state measured by Bob’s detectors and to the final ancillary state. If the input ancillary state and Alice’s output state are given, and the output states of the unitary operator are also given, then the unitary operator can be regarded as a black box. In this case, the internal structure of the black box does not matter because the secrecy capacity of the system is only a function of the output of the black box. In other words, only the output quantum state matters and how the state was generated does not. Eve’s unitary operation can be denoted as

where *i* denotes Alice’s picked state and |ψ〉_{E} denotes Eve’s original ancillary states. Then Bob’s incoming density matrices are given by a trace over Eve’s Hilbert space

We know that ${\rho}_{{b}_{i}}$ can be obtained by quantumconditional tomography and according to Eq. (1), each *b̂ _{i}* can be expresses as a superposition of Alice’s mode and another excess noise mode, we can decompose

*M*̂ into three different unitary operators

*Ô, P̂*and

*Q̂. Ô*creates ${\hat{\rho}}_{{\epsilon}_{n}}$ from Eve’s original ancillary states

where *Tr _{r}* denotes the trace over the rest Eve’s state beside

*ε*. The role of operator

_{n}*P*̂ is to interact ${\hat{\rho}}_{{\epsilon}_{n}}$ with |

*α*〉 on a beamsplitter to create ${\rho}_{{b}_{i}}$.

_{i}*P*̂ can be written as

The role of *Q*̂ is to map the final state back to |¦_{i}〉. We have

Since for all four cases, *M*̂ and *Ô*, *P*̂, *Q*̂ give the same output, the decomposition is therefore equivalent to the unitary operator *M*̂. The idea of decomposition can be found in Fig. 3.

We note here that the operator *Q*̂ is a post-processing on Eve’s states. According to quantum data processing theorem [24], this operation does not increase Eve’s accessible information. Therefore, we can safely only consider the system without *Q*̂ since *Q*̂ can only decrease Eve’s accessible information. In anther word, considering ${\rho}_{{\epsilon}_{r}}$ and ${\rho}_{{\epsilon}_{n}^{\prime}}$ is enough for calculating Eve’s accessible information.

### 3.2.2. Mathematical description of the channel model

As an example, we calculate an representative case where the excess channel noise is thermal. If the channel noise is not thermal, as long as we reconstruct ${\rho}_{{\epsilon}_{n}}$, we still can use the same method to calculate the secrecy capacity. In Fig. 2, ${\hat{\rho}}_{{\epsilon}_{n}}$ is Eve’s input mode to the operator *P*̂. Whatever Bob’s state, he can infer Eve’s input mode because he also knows Alice’s sent state. Mathematically, ${\hat{\rho}}_{{\epsilon}_{n}}$ can be written as,

In the Schrödinger picture, we assume Eve’s State to be a pure state ${\mid \Psi \u3009}_{{\epsilon}_{n},{\epsilon}_{r}}$, where the subscript εr denotes the rest of the system modes besides *ε _{n}*. One should note that although the notation here implies that Eve is using a two mode state, Eve is not actually limited to a two mode state. The quantumtomography only guarantees that the inputmode εn to the beamsplitter be a thermal state. Subscript εr denotes Eve’s arbitrary number of modes, that remain besides

*ε*. Since Eve’s entire quantum state is pure, the condition in Eq. (22) must satisfy,

_{n}Without loss of generality, one can assume ${\mid \Psi \u3009}_{{\epsilon}_{n},{\epsilon}_{r}}$ has the form in Eq. (23),

where 〈*ϕ*(*n*)|*ϕ*(*n*′)〉=*δ _{n,n}*′.

Similar to other security proofs of CVQKD schemes, we make use of an entanglement based picture: we assume Alice also has a entanglement source that generates the quantum state in Eq. (24),

which is a two mode state. In mode *a*′, the state is expressed in the Fock basis and in mode *a* the state is expressed in the coherent basis. Alice then makes a photon number counting measurement onmode *a*′, which projects the state of mode a into one of the four coherent states, i.e., ${\hat{\rho}}_{a}=T{r}_{a\prime}\left({A|\psi \u3009}_{a,a\prime}\u3008\psi |A\right)=\sum _{i=1}^{4}\genfrac{}{}{0.1ex}{}{1}{4}|{{\alpha}_{i}\u3009}_{a}\u3008{\alpha}_{i}\mid $, which corresponds to the case where Alice randomly chooses one of the four coherent states and sends it through the quantum channel. The quantum state of the entire system becomes

where *B*̂_{b,hom}(η_{m}) and ${\hat{B}}_{a,{\epsilon}_{n}}\left(\eta \right)$ denote the unitary operator of BS_{1} and BS_{2}.

Bob then makes a homodyne measurement on mode *b*′. Each measurement results, by the state reduction postulate of quantum mechanics, in the rest of the system is collapsing into a pure quantum state. Suppose Bob’s homodynemeasurement results in a real-valued number *X*, then the system collapses into the state

Tracing over Alice’s mode *a*′ and the hom mode, one obtains Eve’s density matrix given the measurement result *X*,

The probability that *ρ*̂* ^{X}_{E}* is generated is

Eve’s density matrix *ρ*̂_{E} is then of the form Eq. (29),

Experimental homodynemeasurements result in classical electronic noise, resulting in a real-valued measurement *r _{B}*=

*X*+

*N*that is the sum of

_{el}*X*, from the homodyne measurement, and

*N*, which is a Gaussian distributed random variable denoting the electronic noise.

_{el}*Without*post-selection, the protocol requires that Bob quantize

*r*according to its sign. If

_{B}*r*>0 Bob sets

_{B}*q*=1, otherwise, Bob sets

*q*=−1. We are interested in the conditional density matrix of Eve given Bob’s quantization result. Without loss of generality, we only analyze the case in which

*q*=1.

Because the system begins in a pure state, Eve’s density matrix becomes a function of Bob’s homodyne measurement result *X*. However, Bob’s quantization result not only depends on *X*, but also depends on *N _{el}*, which is independent of

*X*. We can always regard Eve’s conditional density matrix as a superposition of different

*ρ*̂

*with different probability*

^{X}_{E}*p*(

*ρ*̂

*|*

^{X}_{E}*q*=1). Therefore, Eve’s conditional density matrix can be written as Eq. (30),

We are now interested in *p*(*ρ*̂* ^{X}_{E}*|q=1). According Bayes’ theorem,

We have the expression for *p*(*ρ*̂* ^{X}_{E}*) from Eq. (28) and because of Alice’s symmetric signaling, we have $p\left(q=1\right)=\genfrac{}{}{0.1ex}{}{1}{2}.\phantom{\rule[-0ex]{.2em}{0ex}}p\left(q=1|{\hat{\rho}}_{E}^{X}\right)$ also depends on

*V*, which is the variance of the electronic noise.

_{el}Next we deduce *e _{AB}*. According to Eq. (7), in order to obtain

*e*, we have to calculate the signal-to-noise ratio of Bob. When the quantumchannel is introducedwith some excess thermal noise, Bob’s noise is actually made up of three different parts. The first part is the vacuumnoise, whose variance is always $\genfrac{}{}{0.1ex}{}{1}{4}$. The second part is the electronic noise, whose variance is

_{AB}*V*. And the third part is the thermal noise. The variance of the thermal noise depends on τ, which is the squeezing factor of Eve’s EPR source, and η, which is the quantum efficiency of the channel. Let the average thermal photon number be 〈

_{el}*n*〉. We have

_{th}Then Bob’s noise variance reads

Using Eq. (34) and Eq. (14), we can get the expression for signal-to-noise ratio for the case with excess noise, which is

### 3.3. QIQO CVQKD with post-selection

As discussed in the Section 1, the practical limitation on the key generation rate of CVQKD systems is computational time for reconciliation. Treating the channel as if it were a binary symmetric channel for reconciliation purposes, the complexity of error correction codes used in reconciliation decreases. Suppose that for a given code, the code length is *N* and the code rate is *R*=(1-*ε*)*C*, whereC is the channel capacity, in this case decoding time complexity is function of *ε* and *N*. Typically, it grows polynomially with *N*. It has also been conjectured in [25] that per-bit complexity of message-passing decoding of LDPC code over any ”typical” channel, such as a binary erasure channel or a binary symmetric channel, is $O\left(\mathrm{log}\genfrac{}{}{0.1ex}{}{1}{\pi}\right)+O\left(\genfrac{}{}{0.1ex}{}{1}{\epsilon}\mathrm{log}\genfrac{}{}{0.1ex}{}{1}{\epsilon}\right)$, where *π* is the decoding error rate. So the closer the code approaches the Shannon limit, the more complex the code. In other word, the requirement of high *β*
_{0} leads to very complex codes. Even so, the decoding error probability drops only polynomially with code length for LDPC codes, which requires even more time complexity to reduce the block error rate to suitable levels.

For the proposed QIQO CVQKD scheme, in order to have positive secrecy capacity, Bob’s signal-to-noise ratio must be very low, i.e., around 0.5, which causes *e _{AB}* to be very high, i.e., around 25%. In order to fit the error rate to the requirements of those good codes, we need to modify

*e*while also changing

_{AB}*β*

_{0}little. Post-selection satisfies these requirements.

Bob’s final measurement result is *r _{B}*=

*X*+

*N*when electronic noise is included. According to the proposed protocol, when

_{el}*r*> 0, Bob quantizes it into

_{B}*q*=1, otherwise Bob quantizes it into

*q*=−1. With post-selection, we set a threshold

*T*>0. Bob’s quantization rule is modified as follows: for the case

*r*>

_{B}*T*, he quantizes

*q*=1, for the case -

*T*≤

*r*≤

_{B}*T*, he sets

*q*=0 and for the case

*r*<-

_{B}*T*, he sets

*q*=−1. Finally, Alice and Bob discard data where

*q*=0 and only make error correction on those data where

*q*≠0. Bob’s decision rule for post-selection can be visualized in Fig. 4:

In order to get the expression for *ρ*̂_{E} under post-selection, we need to reevaluate the probability of each *ρ*̂* ^{X}_{E}*. We denote the new possibility as

*p*(

*ρ*̂

*|*

^{X}_{E}*q*≠0). Using Bayes’ theorem, it is rewritten to be

The first term of the numerator can be expanded as

The second term of the numerator can be had from Eq. (28). The denominator is the probability of selecting a result. It directly relates to the amplitude of the signal *u _{i}*, the variance of noise

*V*and the

_{B}*T*, and can be written as:

*ρ*̂* ^{X}_{E}* can be therefore written as

One must next calculate *p*(*ρ*̂* ^{X}_{E}* |

*q*=1). According to Eq. (31), several terms must be calculated. The first term on the numerator is exactly the same as Eq. (28). The second term of the numerator can be expanded to

Having obtained the preceding probabilities, we get *χ*(*B;E*) according to Eq. (10).

Finally, we calculate *e _{AB}* for post-selection. The symmetry of the states implies that the error rate is the same. So for simplicity, we only calculate the error rate when Alice encodes |

*α*

_{1}〉. We obtain:

The secrecy capacity for post-selection is obtained straightforwardly. We present numerical simulation results and compare them to the case without post-selection in Fig. 6.

We note that the post-selection we have proposed does not require high rate multi-bit A/D conversion. It requires only a hard threshold decision. For the case where *T*=1, almost 10% of the data is selected. Therefore, if the clock rate is high enough, post-selection will not be the factor that limits the system.

## 4. Discussion of results

Numerical simulation results for a few cases of interest are presented in Fig. 5.

Several observations are in order. First, as expected, it is clear that excess noise reduces secrecy capacity and lowers *β*
_{0}. This is as expected because we assumed that Eve could make use of the excess noise and thus achieve higher mutual information with Bob. Secondly, it is also clear why *β*
_{0} increases with increasing signal-to-noise ratio. This is because at higher SNRs, the signal amplitude increases, which leads Eve to better discrimination between the four states sent by Eve. In order to take advantage of coding, we require a relatively low *β*
_{0} and thus we require error correcting codes that work at low SNR. However, at low SNR, the error probability of the binary symmetric channel increases. As discussed in the previous section, very good codes have been found for binary symmetric channels but they are very sensitive to the error probability of the channel. In order to make those codes applicable to our case, we use post-selection on Bob’s received data so that the secrecy capacity (per retained bit) between Alice and Bob goes up dramatically, the error probability (per retained bit) drops dramatically, while the required *β*
_{0} remains almost constant. For 25km QIQO CVQKD, a threshold of *T*=1 is set for post-selection. This leads to postselection of 10% of Bob’s data. For 50km QIQO CVQKD, a threshold *T*=2 leads to retention of about 1% of Bob’s data. For example, with a broadband source with a symbol rate of 10GS/sec, the retained 1 GS/sec and 100 MS/sec for 25km and 50km QIQO CVQKD respectively. Therefore, the post-selection would not limit the clock rate of the system. For 25km QIQO CVQKD with post-selection, the ideal working region is at a signal-to-noise ratio about 0.25, where the secrecy capacity is 0.2bit/channel use, the error probability is less than 10% and the required *β*
_{0} is about 60%. For 50km QIQO CVQKD, the ideal working region is at signal-to-noise ratio about 0.15, where the secrecy capacity is 0.15bit/channel use, the error probability is less than 10% and the required *β*
_{0} is about 75%.

We have also made initial simulations on a simple error correction code and compared the results to previous CVQKD experiments based on post-selection. For 25 km QKD, after the post-selection process, we have an error rate about 7% on the BSC channel. We then use a standard unoptimized LDPC code that corrects all the errors. Running on a Mac laptop, we were able to decode at a processing rate of 600 kbps at an reconciliation efficiency of *β*=80%. The secrecy key rate per channel use when we take the inefficiency of the error correction code into account is Δ*I*=*βI*(*A;B*)−*χ*(*B;E*)=0.1 at 25 km at signal-to-noise ratio 0.45. This results after privacy amplification in a final key rate of 60 kbps at 25 km with channel loss 70%. This provides a speed-up by a factor of 25 over the existing experiment that uses a protocol secure against collective attacks.

Recently, we have become aware of a security analysis on binary modulated CVQKD system has been posted [17] after we presented most of these results [26]. That protocol uses two-state modulation instead of four-state modulation. It does not require quantum tomography. Instead, inequalities and maximum eigenvalues are found to get a upper bound for Eve. The inequalities result in an upper bound less tight than that found in this paper, which makes that protocolmore sensitive to channel excess noise. We also compare out result with [21], which is limited to 50 km with no excess noise. But the scheme proposed in this paper is secure beyond 50km with realistic excess noise and still has high secrecy capacity.

## 5. Conclusion

We have proposed a quantized input-quantized output continuous variable quantum key distribution protocol. By quantizing the data into binary, the decoding complexity is dramatically decreased. We have given a general proof for general collective attacks and shown numerical simulation results. In order to make the proposed system compatible with the requirements of existing high efficiency and high decoding speed codes, we have also proposed post-selection to allow choosing of the error rate of the binary symmetric channel such that β0 remains constant.

## 6. Appendix

Numerical simulation techniques

It is difficult to obtain analytical solutions for continuous variable quantum state, because it has infinite dimension. Unlike those protocols based on gaussian modulation of signal, discrete modulation only gives *conditional* gaussian states instead of global gaussian states. If the global state, such as *ρ*̂_{E}, is not Gaussian, it’s difficult to find a analytical solution for von Neumann entropy when there excess noise is introduced into the channel. Fortunately, as long as the amount of excess noise is small, it’s still possible to get numerical solutions.

From Eq. (23), one may see that if Eve’s two mode quantum state is expanded into Fock spaces, there would be infinite number of terms. But one may truncate the state into finite number of terms since when *τ* is small, the amplitudes for large photon numbers are so small that those terms are negligible. For this simulation, we have the excess noise about 0.005 of one shot noise unit and this leads to *τ*=0.033 for 25k*m* and *τ*=0.0167 for 50k*m*. Using only the first three terms of the expansion is then justified. In other words, the terms up to 2 photons are preserved. We let *EMAX*=2 denoting the maximal number of photons.

Now we can approximate Eve’s two mode state using the form in Eq. (42):

Then mode *ε _{n}* is interacted with mode

*a*. However, since the quantum state in mode

*ε*is represented in Fock space, it needs to be transformed into coherent form so that the operation of BS

_{n}_{1}is performed on two coherent states and the outcome of the operation is also coherent states. Here we use another approximationwhere |

*n*〉 is represented as the superposition of

*n*+1 coherent states [27].

where *c*(*r*) is used to normalize |n, r〉. We have

The accuracy of the approximation is

where |*c _{n}*|

^{2}is the probability amplitude of |

*n*〉 in |

*n,r*〉. In practice, we set

*r*=0 for |0〉 and

*r*=0.1 for other Fock states.

Thus, we write |Φ〉 in Eq. (46),

$$\mid \sqrt{1-{\eta}_{m}}{\left(\sqrt{\eta}{\alpha}_{j}+\sqrt{1-\eta}{r}_{n}{e}^{\genfrac{}{}{0.1ex}{}{2\pi ik}{n+1}}\right)\u3009}_{\mathrm{hom}}\mid {\sqrt{1-\eta}{\alpha}_{j}-\sqrt{\eta}{r}_{n}{e}^{\genfrac{}{}{0.1ex}{}{2\pi ik}{n+1}}\u3009}_{{\epsilon \prime}_{n}}.$$

We first trace over *a*′ mode to get the density matrix of mode *b*′, *ε*′_{n}, *εr* and hom.

i.e., the density matrix for mode *b*′, *ε*′_{n}, *εr* and *hom* is made up of 4 different pure states |Ω_{i}〉 dependingAlice’s measurement of the photon counting on mode *a*′. This exactly corresponds to the case in which Alice prepares one of the four coherent states and sends it to Bob. For each of the |Ω_{i}〉, Bob then make a homodynemeasurement on his mode *b*′. As have been discussed, the outcome of the homodyne measurement is a gaussian distributed continuous random variable with average value ${u}_{i}=\Re \left(\sqrt{\eta {\eta}_{m}}{\alpha}_{i}\right)$) and variance *V _{S}*. Physically, for each of the |Ω

_{i}〉, Bob’s measurement outcome has infinite possibilities. However, only those values distributed close to

*u*occur with high possibility. As an approximation, out simulation only takes the value in the range of [

_{i}*u*−6√

_{i}*V*+6√

_{S},u_{i}*V*]. Another approximation is that instead of processing the continuous data in the range [

_{S}*u*−6√

_{i}*V*+6√

_{S},u_{i}*V*], we divided it into

_{S}*XMAX*bins with equal widths and made un approximation that Bob’s measurement only has

*XMAX*different possibilities instead of infinite possibilities. Suppose each bin has left bound

*lb*and right bound

_{i,k}*rb*, with 1≤

_{i,k}*k*≤

*XMAX*. Then the measurement result is

*X*=(

_{i,k}*lb*+

_{i,k}*rb*)/2 with possibility $p({X}_{i,k})=\genfrac{}{}{0.1ex}{}{1}{\sqrt{2\pi {V}_{S}}}{\displaystyle \colorbox[rgb]{}{${\int}_{lbi,k}^{r{b}_{i,k}}\mathrm{exp}(-\genfrac{}{}{0.1ex}{}{{(x-{u}_{i})}^{2}}{2{V}_{S}})dx$}}$. The density matrix for mode

_{i,k}*ε*′

_{n},

*ε*and

_{r}*hom*can be approximately written as

where $|{\psi}_{i,k}\u3009=\genfrac{}{}{0.1ex}{}{\u3008{X}_{i,k}|{\Omega}_{i}\u3009}{\sqrt{\u3008{\Omega}_{i}|{X}_{i,k}\u3009\u3008{X}_{i,k}|{\Omega}_{i}\u3009}}$. In order get *ρ*̂_{E}, we further trace |*ψ ^{i,k}*〉〈

*ψ*| over mode

^{i,k}*hom*. For low signal-to-noise ratio, the average photon number in mode

*hom*is also low. If we use Fock basis to expand mode

*hom*, we can neglect those quantum states with large photon numbers. Suppose we can present mode

*hom*in Fock space and only keep the states up to

*HMAX*photons. Then

Therefore, *ρ*̂_{E} can be written as

where $|{\epsilon}_{i,j,k}\u3009=\genfrac{}{}{0.1ex}{}{\u3008j|{\psi}_{i,k}\u3009}{\sqrt{\u3008{\psi}_{i,k}|j\u3009\u3008j|{\psi}_{i,k}\u3009}}$ and *p*(*j*|*X _{i,k}*)=〈

*ψ*|

_{i,k}*j*〉〈

*j*|

*ψ*〉. Here we ignored the subscript for |

_{i,k}*j*〉

_{hom}. We define a global possibility $p\left(\mid {\epsilon}_{i,j,k}\u3009\right)=\genfrac{}{}{0.1ex}{}{1}{4}p\left({X}_{i,k}\right)p\left(j|{X}_{i,k}\right)$, then we can rewrite

*ρ*̂

*E*in the Eq. (51)

where we omitted the subscript *E* used to describe the mode. The problem of calculating the von Neumann entropy *S*(*ρ*̂*E*) is equivalent to solving the eigenvalue of the correspondingGram matrix [28]. Each element of the Gram matrix is

The non-zero eigenvalues of *G* are equivalent to the non-zero eigenvalues of *ρ*̂*E*. Suppose the non-zero eigenvalues of G are {*λ*
_{1},*λ*
_{2},…,*λ _{n}*}, then

The next thing that we are interested in is *p*(|*ε _{i,j,k}*〉|

*q*=1) for calculating

*S*(

*ρ*̂

_{E|q=1}). We first rewrite

*p*(|

*ε*〉|

_{i,j,k}*q*=1) according to Bayes’ theorem,

What we need to calculate is just the first term of the nominator. This was calculated as follows:

*ρ*̂_{E|q=1}=∑* _{i,j,k}p*(|

*ε*〉|

_{i,j,k}*q*=1)|

*ε*〉 we can calculate

_{i,j,k}*S*(

*ρ*̂

_{E|q=1}) following the Gram matrix that we have discussed above.

For the post-selection case, we need to calculate *p*(|*ε _{i,j,k}*〉|

*q*≠0). As what we’ve done above, we first rewrite it according to the Bayes’ theorem.

What we need to calculate is just the first term of the nominator. The method that we used to calculate this term is

Then *ρ*̂_{E}=∑* _{i,j,k}p*(|

*ε*〉|

_{i,j,k}*q*≠0)|

*ε*〉. We can then use the Gram matrix to calculate

_{i,j,k}*S*(

*ρ*̂

_{E}).

In order to calculate *S*(*ρ*̂_{E|q=1}) in the case with post-selection, we need to calculate the possibility *p*(|*ε _{i,j,k}*〉|

*q*=1). We first rewrite it according to Bayes’ theorem, which can be found in Eq. (54). But now the first term must be calculated differently. We can calculate it as Eq. (58),

Finally, we can get *ρ*̂_{E|q=1} and calculate *S*(*ρ*̂_{E|q=1}) according the above methods.

In order to demonstrate the accuracy of our numerical simulation results, we first compare it with the analytical solution in the limit of no excess noise. Here we picked up *τ*=1×10^{−6} in our numerical simulation. It shows that the difference of Δ*I* is only 6.5804×10^{−7} between numerical simulation and analytical results.

In the end, we give the comparison of the result we get by setting different parameters, i.e., *EMAX, XMAX, HMAX* and *r _{k}*. We can see that when

*EMAX*>2,

*XMAX*>20,

*HMAX*>6 and

*r*<0.1, we can see only tiny difference among different simulations. We believe that the simulation results are accurate enough for those parameters.

_{k}The simulation results with different parameters are shown in the TABLE 1. We took the secrecy capacity obtained at 25k*m* without post-selection with *EMAX*=2, *XMAX*=20, *HMAX*=6 and *r*=0.1 as a reference and note it as Δ*I _{ref}*. We give the difference of Δ

*I*

_{*}with the reference. We calculated $\stackrel{\u02c9}{\mid \Delta {I}_{\mathrm{ref}}-\Delta {I}_{*}\mid}$ and put the values into the TABLE 1.

From the results, we see that if we set *EMAX*=2, *XMAX*=20, *HMAX*=6 and *r*=0.1, we are already very close to the limit because if we further adjust the parameters, we get much less differences. In our final results, we just set *EMAX*=3, *XMAX*=30, *HMAX*=8 and *r*=0.05. We believe that these parameters give us numerical simulation results that are extremely close to the exact results.

## 7. Acknowledgments

This research was funded in part by the Agence National de la Recherche as part of the project HQNET. We thank Matthieu Bloch for discussions regarding LDPC coding.

## References and links

**1. **C. H. Bennett and G. Grassard, “Quantum Cryptography: Public Key Distribution and Coin Tossing,” in *Proceedings of IEEE International Conference on Computers*, Systems, and Signal Processing (IEEE, Newyork, 1984), pp. 175–179.

**2. **A. K. Ekert, “Quantum Cryptography Based on Bell’s Theorem,” Phys. Rev. Lett. **67**, 661–663 (1991).
[CrossRef] [PubMed]

**3. **M. A. Nielsen and I. L. Chuang, ‘Quantum Computation and Quantum Information, (Cambridge University Press, UK, 2000).

**4. **S. L. Braunstein and P. Van Loock, “Quantum information with continuous variables,” Rev. Mod. Phys. **77**, 513–577 (2005).
[CrossRef]

**5. **F. Grosshans, G. Van Assche, J. Wenger, R. Brouri, N. J. Cerf, and P. Grangier, “Quantum key distribution using gaussian-modulated coherent states,” Nature **421**, 238–241 (2003).
[CrossRef] [PubMed]

**6. **N. J. Cerf, M. Lévy, and G. Van Assche, “Quantum distribution of Gaussian keys using squeezed states,” Phys. Rev. A **63**, 052311 (2001).
[CrossRef]

**7. **F. Grosshans and P. Grangier, “Reverse reconciliation protocols for quantum cryptography with continuous variables,”quant-ph/0204127 (2002).

**8. **F. Grosshans and P. Grangier, “Continuous Variable Quantum Cryptography Using Coherent States,” Phys. Rev. Lett. **88**, 057902 (2002)
[CrossRef] [PubMed]

**9. **R. Namiki and T. Hirano, “Efficient-phase-encoding protocols for continuous-variable quantum key distribution using coherent states and postselection,” Phys. Rev. A **74**, 032302 (2006).
[CrossRef]

**10. **F. Grosshans, “CollectiveAttacks and Unconditional Security in Continuous Variable Quantum KeyDistribution,” Phys. Rev. Lett. **94**, 020504 (2005).
[CrossRef] [PubMed]

**11. **M. Navascués and A. Acín, “SecurityBounds for Continuous Variables Quantum Key Distribution,” Phys. Rev. Lett. **94**, 020505 (2005).
[CrossRef] [PubMed]

**12. **R. García-Patrón and N. J. Cerf, “Unconditional Optimality of Gaussian Attacks against Continuous-Variable Quantum Key Distribution,” Phys. Rev. Lett. **97**, 190503 (2006).
[CrossRef] [PubMed]

**13. **M. Navascués, F. Grosshans, and A. Acín, “Optimality of Gaussian Attacks in Continuous-Variable Quantum Cryptography,” Phys. Rev. Lett. **97**, 190502 (2006).
[CrossRef] [PubMed]

**14. **J. Lodewyck, M. Bloch, R. Garcia-Patron, S. Fossier, E. Karpov, E. Diamanti, T. Debuisschert, N.J. Cerf, R. Tualle-Brouri, S. W. McLaughlin, and P. Grangier, “Quantum key distribution over 25 km with an all-fiber continuous-variable system,” Phys. Rev. A **76**, 042305 (2007).
[CrossRef]

**15. **M. Heid and N. Lütkenhaus, “Security of coherent-state quantum cryptography in the presence of Gaussian noise” Phys. Rev. A **76**, 022313 (2007).
[CrossRef]

**16. **V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “Title: A Framework for Practical Quantum Cryptography”arXiv:0802.4155(2008).

**17. **Y. Zhao, M. Heid, J. Rigas, and N. Lütkenhaus, “Asymptotic security of binary modulated continuous-variable quantum key distribution under collective attacks,” Phys. Rev. A **79**, 012307 (2009).
[CrossRef]

**18. **Ch. Silberhorn, T.C. Ralph, N. Lütkenhaus, and G. Leuchs, “Continuous Variable Quantum Cryptography: Beating the 3 dB Loss Limit” Phys. Rev. A **89**, 167901 (2002).

**19. **C. Weedbrook, A. M. Lance, W. P. Bowen, T. Symul, T. C. Ralph, and P. K. Lam, “Coherent-state quantum key distribution without random basis switching” Phys. Rev. A **73**,022316 (2006).
[CrossRef]

**20. **A. M. Lance, T. Symul, V. Sharma, C. Weedbrook, T. C. Ralph, and P. K. Lam, “No-Switching Quantum Key Distribution Using Broadband Modulated Coherent Light,” Phys. Rev. Lett. **95**, 180503 (2005).
[CrossRef] [PubMed]

**21. **T. Symul, D. J. Alton, S. M. Assad, A. M. Lance, C. Weedbrook, T. C. Ralph, and P. K. Lam, “Experimental demonstration of post-selection-based continuous-variable quantum key distribution in the presence of Gaussian noise,” Phys. Rev. A **76**, 030303(R) (2007).
[CrossRef]

**22. **J. Singh, O. Dabeer, and U. Madhow, “Capacity of the Discrete-Time AWGN Channel Under Output Quantization,” arXiv:0801.1185v1 (2008).

**23. **V. Buẑek and G. Drobný, “Quantum tomography via the MaxEnt principle,” J. Mod. Opt. **47**, 14/15 pp. 2823–2839 (2000).

**24. **R. Ahlswede and P. Lober, “Quantum data processing,” IEEE Trans. Inf. Theory , **47**, 1 pp 474–478 (2001).
[CrossRef]

**25. **K. Khandekar and R. J. McEliece, “On the complexity of reliable communication on the erasure channel,” in Proc. IEEE Int. Symp. Information Theory, Washington, DC, Jun. 2001, p. 1.

**26. **Z. Zhang and P. L. Voss, “A path towards 10 Gb/s continuous variable QKD,” LPHYS08, Trondheim, Norway. July 2008.

**27. **J. Janszky, P. Domokos, S. Szabó, and P. Adam, “Quantum-state engineering via discrete coherent-state superpositions,” Phys. Rev. A **51**, 5 (1995).
[CrossRef]

**28. **R. Jozsa and J. Schlienz, “Distinguishability of States and von Neumann Entropy,” arXiv:quant-ph/9911009v1, 3 (1999).